import { Callout, Steps } from "nextra/components"
import { ChatCircleText, GitBranch } from "@/icons"

<h2 className="dark:border-primary-100/10 mt-10 flex flex-row items-center gap-2 border-b border-neutral-200/70 pb-1 text-3xl font-semibold tracking-tight text-slate-900 contrast-more:border-neutral-400 dark:text-slate-100 contrast-more:dark:border-neutral-400">
  <GitBranch className="size-8" /> <span>Supported versions</span>
</h2>

- Security updates are only released for the current `latest` version.
- Old releases are not maintained and do not receive updates.

<Callout>
  `@auth/*` packages (other than the database adapters) are currently under
  development and - unless stated otherwise - they are not considered ready for
  production yet. That said, we encourage you to reach out to us if you have any
  questions or concerns via the below-mentioned channels. We are committed to
  making Auth.js a secure and reliable solution for your authentication needs.
</Callout>

<h2 className="dark:border-primary-100/10 mt-10 flex flex-row items-center gap-2 border-b border-neutral-200/70 pb-1 text-3xl font-semibold tracking-tight text-slate-900 contrast-more:border-neutral-400 dark:text-slate-100 contrast-more:dark:border-neutral-400">
  <ChatCircleText className="size-8" /> <span>Reporting a Vulnerability</span>
</h2>

Auth.js practices responsible disclosure. We request that you contact us directly to report serious issues that might impact the security of sites using Auth.js.

If you contact us regarding a serious issue:

<Steps>

### Getting back to you

We will endeavour to get back to you within 72 hours.

### Publishing a fix

We will aim to publish a fix within 30 days.

### Disclosing the issue

We will disclose the issue ( _and credit you, with your consent_ ) once a fix to resolve the issue has been released.

### 90 days limit

If 90 days have elapsed and we still don't have a fix, we will disclose the issue publicly.

</Steps>

The best way to report an issue is by contacting us via email at info@balazsorban.com, hi@thvu.dev,
yo@ndo.dev and hi@ubbe.dev, or raise a public issue - **without disclosing any sensitive details** - requesting someone get in touch with you via whatever means you prefer for more details.

<Callout type="info">
  For less serious issues (e.g. RFC compliance for unsupported flows or
  potential issues that may cause a problem in the future) it is appropriate to
  make these public as bug reports or feature requests or to raise a question to
  open a discussion around them.
</Callout>
